InfoSec Handlers Diary Blog

Microsoft has issued a Security Advisory for the vulnerability in the Windows Help and Support
Center function that ships with supported editions of Windows XP and Windows Server 2003.
The vulnerability is tracked as CVE-2010-1885.

"We are aware of a publicly disclosed vulnerability affecting Windows XP and Windows Server 2003.
We are not aware of any current exploitation of this issue and customers running Windows Vista,
Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this
issue, or at risk of attack."

Microsoft warns that the vulnerability analysis in the original public disclosure is incomplete and
that the workaround provided by Google is also incomplete. Microsoft's recommended mitigation is to
unregister the hcp protocol handler, and the advisory gives the steps for doing so. See the
mitigation information at:
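The following is an added example, not a script from Microsoft or from the advisory: it applies the workaround the diary names by unregistering the hcp:// handler. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP (the key Microsoft's workaround deletes) and drives reg.exe so that the key is exported before it is deleted and the deletion is verified afterwards; the `run` parameter lets the sequencing be exercised without touching a live registry.

```python
import subprocess
import sys
from pathlib import Path

# Registry key that registers the hcp:// URL handler on Windows XP / Server 2003.
# Assumption made by this example: the workaround consists of removing this key.
HCP_KEY = r"HKEY_CLASSES_ROOT\HCP"


def _reg(run, *args):
    """Run reg.exe with the given arguments; `run` is subprocess.run or a stand-in."""
    return run(["reg.exe", *args], capture_output=True, text=True)


def hcp_registered(run=subprocess.run):
    """True when the hcp:// handler key exists (reg query exits non-zero if it is absent)."""
    return _reg(run, "query", HCP_KEY).returncode == 0


def unregister_hcp(backup_path, run=subprocess.run):
    """Export the hcp:// handler key, delete it, and confirm it is gone.

    Returns one of: "already-unregistered", "backup-failed", "delete-failed",
    "unregistered". The key is never deleted without a successful export, so the
    handler can be restored later with `reg import <backup_path>`.
    """
    if not hcp_registered(run):
        return "already-unregistered"
    if _reg(run, "export", HCP_KEY, str(backup_path)).returncode != 0:
        return "backup-failed"
    if _reg(run, "delete", HCP_KEY, "/f").returncode != 0:
        return "delete-failed"
    # Re-check rather than trust the exit code: the point is that hcp:// no longer resolves.
    if hcp_registered(run):
        return "delete-failed"
    return "unregistered"


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("This workaround applies to Windows XP / Windows Server 2003 only.")
    backup = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\hcp_backup.reg")
    print(unregister_hcp(backup))
```

Run it from an elevated prompt. The caveat that comes with the workaround: local, legitimate help links that use hcp:// stop working until the exported key is re-imported, which should only be done once the vendor fix is installed.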

Computerworld this week posted a rather thought-provoking article on the risks that social networking
sites may pose to a company or organization. We all know that even if we tell employees that
discussion of work-related issues is strictly forbidden, there is a good chance that some of it will slip
through. We also know that social networking sites are laden with badware, malware and viruses.
That is the nature of the beast. But are there other issues to consider? My company has been
discussing just this issue at length. We have a policy, but we know that it is nowhere near
comprehensive enough.

Some of you may have noticed that I was a little slow in getting started this morning.
I wasn't prompt with replying to your emails. For that I apologize. I thought it would be
good if I explained why.

At my day job/paid job one of my responsibilities is handling abuse complaints; another
responsibility is cleaning up mail servers that are doing bad things. The two usually go
hand in hand and are generally due to something one or more of the users did. Today
was no exception. I logged into my email this morning and immediately knew I had a
problem. I knew how the first half of my day was going to go. I had several hundred
abuse reports for one of my mail servers. I immediately began to investigate what
was going on with the server. I soon discovered that I had over 33,000 emails queued
up and a bunch of bounces for undeliverable emails to domains like Hotmail, Yahoo,
Comcast, AOL, etc. I began to review the emails and soon realized that someone had
logged into the webmail on the server with userids on the box and sent emails. All of
the emails indicated the web access came from IPs in 41.138.x.x, which happens to be
in AfriNIC's world. This particular server is a local server and I knew that it was highly
unlikely that someone would be legitimately logging in from Africa. I immediately blocked
the CIDR from accessing the server and cleaned up the emails so that no more would
get out. After the cleanup was done I began reviewing the logs for the webmail service.

Sure enough, I discovered that 3 valid userids had indeed been used to log in to the server
from the 41.138.x.x IPs. I immediately changed the passwords on the 3 accounts so that the
spammers could not log in again from a different CIDR. Once the passwords were changed
I notified the customers of the situation.

I soon discovered that yesterday an email had been sent to the users on this adomain.net
(name changed to protect the domain). Here is what the email said:

Dear adomain.net Subscriber,

We are currently carrying-out a maintenance process to your adomain.net account, to
complete this, you must reply to this mail immediately, and enter your User Name
here (,,,,,,,,) And Password here (.......) if you are the rightful owner of
this account.

This process we help us to fight against spam mails. Failure to summit your password,
will render your email address in-active from our database.

NOTE: If your have done this before, you may ignore this mail. You will be send a
password reset messenge in next seven (7) working days after undergoing this process
for security reasons.

Thank you for using adomain.net!
THE adomain.net TEAM

In spite of multiple warnings in the past to the users on this domain, three of them responded
to the email. Those three logins were then used last night to log in to the webmail and send
the emails. Now some of you reading this are probably just shaking your heads and wondering
why end users are so gullible. Well, I am with you on that. If you read the content of the email
you will soon realize that it contains a number of grammatical errors and it is pretty
obvious that it is a poor attempt at English. Most of us would just ignore the email and
delete it. Not these users... They fell for it hook, line and sinker.

I put this out for you because we have received inquiries from several other folks today about this
or a similar phish. Remind your employees/users that these emails are bogus and bad, and not to
respond to them. If you are on any of my mail servers... I thank you heartily. This morning's
little investigation and cleanup took 3 otherwise productive hours out of my day.

Some of you may have seen the article about an iPad security breach. Some of the information floating around is leading readers to believe that it is an
iPhone software problem. It is not: the issue is with a web application, not the iPhone or iPad software.

"Apparently, the breach was the result of a web application vulnerability on an AT&T site. This allowed a malcontent to guess
at an AT&T SIM card identifier (the so-called ICC-ID) and – if the ICC-ID was issued to an iPad – to use it to retrieve the email address
of the iTunes account associated with the device."

The fact that this happened is bad; however, the amount of incorrect information circulating on the Net is even worse. For the whole story see the
Sophos blog.
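To make the web-application point concrete, here is an added example that is not AT&T's code and not from the Sophos post: a subscriber lookup keyed on a guessable SIM identifier, first in the flawed shape (any caller who supplies a valid ICC-ID gets the address) and then bound to the authenticated caller. The subscriber table, the ICC-ID values, the `Session` type and the lookup function names are all constructed for the example; real ICC-IDs carry a check digit, which changes nothing about how enumerable they are.

```python
from dataclasses import dataclass

# Constructed subscriber table: fake ICC-IDs and addresses, nothing from any carrier.
# Sequential values keep the enumeration easy to follow.
SUBSCRIBERS = {
    "8901410000000000101": "alice@example.com",
    "8901410000000000102": "bob@example.com",
    "8901410000000000105": "carol@example.com",
}


@dataclass
class Session:
    """An authenticated caller. The server binds the session to the ICC-ID of the SIM
    that authenticated, so the client cannot choose it (assumed design)."""
    icc_id: str


def lookup_email_vulnerable(icc_id):
    """Flawed shape: the identifier alone is treated as proof of ownership."""
    return SUBSCRIBERS.get(icc_id)


def lookup_email_hardened(icc_id, session):
    """Fixed shape: the identifier must match the caller's authenticated session.

    Foreign and non-existent IDs both return None, so the endpoint leaks neither the
    address nor whether a given ICC-ID is in use.
    """
    if session is None or icc_id != session.icc_id:
        return None
    return SUBSCRIBERS.get(icc_id)


def harvest(lookup, start_icc_id, count):
    """What an enumerator gets: walk `count` consecutive IDs from a known one and
    collect every address the lookup hands back."""
    base = int(start_icc_id)
    width = len(start_icc_id)
    leaked = {}
    for n in range(base, base + count):
        icc_id = str(n).zfill(width)
        email = lookup(icc_id)
        if email:
            leaked[icc_id] = email
    return leaked


if __name__ == "__main__":
    start = "8901410000000000100"
    print("vulnerable endpoint leaks:", harvest(lookup_email_vulnerable, start, 10))
    attacker = Session("8901410000000000101")  # attacker holds one legitimate SIM
    print("hardened endpoint leaks:",
          harvest(lambda i: lookup_email_hardened(i, attacker), start, 10))
```

Against the vulnerable lookup, ten guesses around one known ID recover every subscriber in the range; against the hardened one the same walk returns only the attacker's own record. The fix is an authorization check on the object, not a harder-to-guess identifier.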